SUMMARY
I'm using a self-signed certificate.
If I don't specify cafile the error is:
ConnectionError([SSL: CERTIFICATE_VERIFY_FAILED] self signed certificate in certificate chain ...)
If I use cafile the error is:
fatal: msg: Elastic error: /usr/local/share/ca-certificate/ca.crt
(which is the PATH of the CA on my host)
The CA is already loaded on the host (update-ca-certificates).
How can I verify the CA? Or set verify_certs = False as a workaround?
ISSUE TYPE
- Bug Report
COMPONENT NAME
elastic_common.py
ANSIBLE VERSION
ansible [core 2.13.2]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
community.elastic 0.0.1
community.general 5.3.0
OS / ENVIRONMENT
Ubuntu 20.04
STEPS TO REPRODUCE
- name: Create Role
  community.elastic.elastic_role:
    login_user: "{{ES_USERNAME}}"
    login_password: "{{ES_PASSWORD}}"
    auth_scheme: "https"
    auth_method: "http_auth"
    #cafile: "{{ lookup('file', '{{CACERT}}') }}"
    cafile: "{{CACERT}}"
    login_hosts:
      - "{{ES_HOSTNAME}}"
    name: test
    cluster:
      - all
    indices:
      - names: "test-*"
        privileges:
          - all
EXPECTED RESULTS
Should connect to ES.
If I use curl with the same parameters it works, so it's a problem in the library.
ACTUAL RESULTS
task path: /ansible/roles/elastic-users/tasks/main.yml:1
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523 `" && echo ansible-tmp-1658165047.6121874-3120-144718124182523="` echo /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/community/elastic/plugins/modules/elastic_role.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-3115fz480h5w/tmpgtnylhpq TO /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523/AnsiballZ_elastic_role.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523/ /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523/AnsiballZ_elastic_role.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523/AnsiballZ_elastic_role.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1658165047.6121874-3120-144718124182523/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_community.elastic.elastic_role_payload_xtfc2w9s/ansible_community.elastic.elastic_role_payload.zip/ansible_collections/community/elastic/plugins/modules/elastic_role.py", line 247, in main
  File "/tmp/ansible_community.elastic.elastic_role_payload_xtfc2w9s/ansible_community.elastic.elastic_role_payload.zip/ansible_collections/community/elastic/plugins/module_utils/elastic_common.py", line 70, in connect
    auth = self.build_auth(self.module)
  File "/tmp/ansible_community.elastic.elastic_role_payload_xtfc2w9s/ansible_community.elastic.elastic_role_payload.zip/ansible_collections/community/elastic/plugins/module_utils/elastic_common.py", line 63, in build_auth
    context = create_default_context(module.params['cafile'])
  File "/usr/lib/python3.8/ssl.py", line 732, in create_default_context
    raise TypeError(purpose)
fatal: [localhost]: FAILED! => changed=false
  invocation:
    module_args:
      applications: null
      auth_method: http_auth
      auth_scheme: https
      cafile: /usr/local/share/ca-certificates/ca.crt
      cluster:
      - all
      connection_options: []
      global_v: null
      indices:
      - names: test-*
        privileges:
        - all
      login_hosts:
      - elastic.local
      login_password: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      login_port: 9200
      login_user: elastic
      metadata: null
      name: test
      run_as: null
      state: present
      timeout: 30
  msg: 'Elastic error: /usr/local/share/ca-certificates/ca.crt'
PLAY RECAP ********************************************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
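Added example, not part of the issue and not the collection's own code: the traceback above shows the CA path passed as the first positional argument of `ssl.create_default_context()`, which is `purpose`, so Python raises `TypeError` carrying the path as its message, the same text that appears in `msg`. The sketch below reproduces that call shape next to a keyword-argument form that keeps certificate verification enabled; `buggy_context`, `explain_failure` and `build_context` are hypothetical names.

```python
import ssl

# Path copied from the issue's module_args. The buggy call never opens it, so this
# block runs on hosts where the file does not exist.
CAFILE = "/usr/local/share/ca-certificates/ca.crt"


def buggy_context(cafile):
    """Same call shape as the traceback line in build_auth()."""
    # The first positional parameter is `purpose`, not `cafile`; a str is
    # rejected with TypeError(purpose) before any certificate is read.
    return ssl.create_default_context(cafile)


def explain_failure(cafile):
    """Return the error the positional call produces for a given path, or None."""
    try:
        buggy_context(cafile)
    except TypeError as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


def build_context(cafile=None):
    """Hypothetical corrected helper: CA passed by keyword, verification left on.

    With cafile=None the system trust store is used. With a cafile, only that
    bundle is trusted; the system store is not loaded in addition.
    """
    try:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    except OSError as exc:  # FileNotFoundError, or ssl.SSLError for an unusable PEM
        raise ValueError(f"cannot load CA bundle {cafile!r}: {exc}") from exc
    # create_default_context() sets both of these; fail loudly if that ever changes
    # instead of silently talking to an unverified peer.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is not enabled on this context")
    return ctx


if __name__ == "__main__":
    print(explain_failure(CAFILE))
    print(build_context().verify_mode)
```

Calling `build_context(CAFILE)` on the affected host loads the self-signed CA and leaves hostname and chain checks on, which avoids the need for a `verify_certs = False` workaround.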